Abstract. Circular coinduction is a technique for behavioral reasoning
that extends cobasis coinduction to specifications with circularities. Because
behavioral satisfaction is not recursively enumerable, no algorithm
can work for every behavioral statement. However, algorithms using circular
coinduction can prove every practical behavioral result that we
know. This paper proves the correctness of circular coinduction and some
consequences.


1 Introduction 

Software and hardware systems are growing in complexity, with ever greater 
possibilities for subtle errors: these can produce significant loss, including human 
life. Unfortunately, building complex reliable systems is very difficult, due to 
incompleteness and rapid evolution of requirements, and to difficulties in writing 
and understanding specifications. One approach is through formal methods, with 
its two best known branches being model checking and theorem proving: these 
can reveal inconsistencies, ambiguities and exceptions that could be expensive 
or impossible to detect otherwise. 

This paper is part of our effort to design, implement, evaluate and popularize
formal method tools for behavioral specification and verification. Our Tatami
system [15,12,11] and its BOBJ component¹, a behavioral specification and
verification language of the OBJ family, use hidden algebra [9,17]. Although our
work is mainly on theorem proving, our results also have implications for model
checking: in particular, only one state in a behavioral equivalence class needs to
be stored, and instead of hashing all visited states, a behavioral model checker
can just check whether a new state is equivalent to one already stored; this is
actually how our CCRW [14] (circular coinductive rewriting) algorithm works in
its BOBJ implementation.

¹ BOBJ comes from “Behavioral OBJ,” where “OBJ” [20] names a family of algebraic
programming and specification languages based on parameterized programming and
order sorted term rewriting and algebra, possibly enriched with other logics.


Some results in this paper were sketched in [28] and implemented by Kai
Lin in BOBJ [14,13]. But this paper gives the first correctness proof for circular
coinduction, and for some of its consequences. Although our examples use
BOBJ, we do not present BOBJ in detail, but only the features needed for
these examples. The latest information on hidden algebra, including the most
recent papers, links to related work, and online tutorial material, can be found at
www.cs.ucsd.edu/users/goguen/projs/halg.html, the hidden algebra homepage.


2 Hidden Logic 


Today's software systems often follow the “object paradigm,” which may be
described as having:

1. objects with local state and operations that modify or observe them, called
methods and attributes, respectively;

2. classes that classify objects through an inheritance hierarchy; and

3. concurrent distributed execution.

Hidden algebra formalizes the object paradigm, but also includes ordinary programs
and components. Our behavioral approach is motivated by the fact that
cleverly designed systems often fail to satisfy their requirements strictly, but instead
only satisfy them behaviorally, in the sense of appearing to satisfy them
under all possible experiments.

Hidden algebra was introduced [9] to give algebraic semantics for the object
paradigm, and developed further in [10,16,4,17] among other places. One distinctive
feature is a split of sorts into visible and hidden, where visible sorts are
for data and hidden sorts are for objects. A model, or hidden algebra, is an abstraction
of an implementation, consisting of the possible states, with concrete
functions for the attributes and methods, from states to data and to states,
respectively (hence, an attribute “observes” states by returning a visible value,
while a method modifies states); i.e., a hidden algebra is an algebra that includes
a data universe.

Hidden logic is the generic name for various logics closely related to hidden
algebra, giving sound rules for behavioral reasoning that are easily automated.
Following [5], we distinguish two classes of hidden logics, depending on whether
the data universe, of “built-ins,” is assumed fixed or not. The first versions of
hidden logic took the fixed data approach, but we recently noticed that all our
inference rules are sound for the larger class of models which need not protect
data. Since there are also loose data versions of hidden logic, such as coherent
hidden algebra [7,8] and observational logic [1,2,21], we decided not to restrict
our exposition to the fixed data case. Nevertheless, the fixed data hidden logics
are often desirable, since real applications use standard booleans and integers
rather than arbitrary models: for example, the alternating bit protocol cannot
be proved correct unless implementations which do not distinguish 0 from 1 are
forbidden.



A detailed presentation of various hidden logics appears in [26] together with
relations to many other concepts, a history of hidden algebra with citations,
and proofs for some results mentioned but not proved here. We now introduce
some of the most basic concepts, assuming familiarity with ordinary many sorted
algebra:

Definition 1. Given disjoint sets $V, H$ called visible and hidden sorts, a
loose data hidden $(V,H)$-signature is a many sorted $(V \cup H)$-signature.
A fixed data hidden $(V,H)$-signature is a pair $(\Sigma, D)$ where $\Sigma$ is a loose
data hidden $(V,H)$-signature and $D$, called the data algebra, is a many sorted
$\Sigma|_V$-algebra. A loose data hidden subsignature of $\Sigma$ is a loose data hidden
$(V,H)$-signature $\Gamma$ with $\Gamma \subseteq \Sigma$ and $\Gamma|_V = \Sigma|_V$. A fixed data hidden subsignature
of $(\Sigma, D)$ is a fixed data hidden $(V,H)$-signature $(\Gamma, D)$ over the same
data with $\Gamma \subseteq \Sigma$ and $\Gamma|_V = \Sigma|_V$. The operations in $\Sigma$ with one hidden argument
and visible result are called attributes, those with one hidden argument
and hidden result are called methods, those with two hidden arguments and
hidden result are called binary methods, and those with only (zero or more)
visible arguments and hidden result are called hidden constants.

Hereafter we may write “hidden signature” instead of “loose data hidden $(V,H)$-signature”
or “fixed data hidden $(V,H)$-signature,” since we don't need to distinguish
them; also we often write $\Sigma$ for $(\Sigma, D)$.

Definition 2. A loose data hidden $\Sigma$-algebra $A$ is a $\Sigma$-algebra, and a fixed
data hidden $(\Sigma, D)$-algebra $A$ is a $\Sigma$-algebra $A$ such that $A|_{\Sigma|_V} = D$.

Again, we often write just hidden algebra. A hidden algebra can be regarded
as a “blackbox,” the inside of which is not seen, since one is only concerned with
its behavior under experiments. Notice that fixed data hidden algebras protect
their data: for example, such an implementation of a stack of natural numbers
does not corrupt its builtin natural numbers.

We next formalize the notion of “experiment,” which informally is an observation
of an attribute of a system after it has been perturbed by some methods,
using the mathematical concept of context; the symbol $\bullet$ below is a placeholder
for the state being experimented upon.

Definition 3. Given a hidden subsignature $\Gamma$ of $\Sigma$, an (appropriate) $\Gamma$-context
for sort $s$ is a term in $T_\Gamma(\{\bullet : s\} \cup Z)$ having exactly one occurrence of a special
variable $\bullet$ of sort $s$, where $Z$ is an infinite set of special variables². Let
$C_\Gamma[\bullet : s]$ denote the set of all $\Gamma$-contexts for sort $s$, and $var(c)$ the finite set of
variables in a context $c$ except $\bullet$. A $\Gamma$-context with visible result sort is called
a $\Gamma$-experiment; let $E_\Gamma[\bullet : s]$ denote the set of all $\Gamma$-experiments for sort $s$.
When the sort of experiments is important, we use the notation $C_{\Gamma,s'}[\bullet : s]$ for the
$\Gamma$-contexts of sort $s'$ for sort $s$, while $E_{\Gamma,v}[\bullet : s]$ denotes all the $\Gamma$-experiments
of sort $v$ for sort $s$. If $c \in C_\Gamma[\bullet : s]$ and $t \in T_\Sigma(X)$, then $c[t]$ denotes the
term in $T_\Sigma(var(c) \cup X)$ obtained from $c$ by substituting $t$ for $\bullet$; formally,
$c[t] = (\bullet \leftarrow t)(c)$, where $(\bullet \leftarrow t) : T_\Sigma(var(c) \cup \{\bullet : s\}) \to T_\Sigma(var(c) \cup X)$ is
the unique extension of the map $(\bullet \to t) : var(c) \cup \{\bullet : s\} \to T_\Sigma(var(c) \cup X)$
which is identity on $var(c)$ and takes $\bullet : s$ to $t$. Furthermore, $c$ generates a map
$A_c : A_s \to [(var(c) \to A) \to A_{s'}]$ on each $\Sigma$-algebra $A$, defined by $A_c(a)(\theta) = a_\theta(c)$,
where $a_\theta$ is the unique extension of the map (denoted $a_\theta$) that takes $\bullet$ to $a$ and
each $z \in var(c)$ to $\theta(z)$.

² Special variables are assumed different from any other variables in a given situation.

The interesting experiments are those of hidden sort, i.e., those with $s \in H$;
experiments of visible sort are allowed just to smooth the presentation.

We now define a distinctive feature of hidden logic, behavioral equivalence.
Intuitively, two states are behaviorally equivalent iff they cannot be distinguished
by any experiment that can be performed on the system.

Definition 4. Given a hidden $\Sigma$-algebra $A$ and a hidden subsignature $\Gamma$ of $\Sigma$,
the equivalence given by $a \equiv^\Gamma_\Sigma a'$ iff $A_\gamma(a)(\theta) = A_\gamma(a')(\theta)$ for all $\Gamma$-experiments
$\gamma$ and all maps $\theta : var(\gamma) \to A$ is called $\Gamma$-behavioral equivalence on $A$.
We may write $\equiv$ instead of $\equiv^\Gamma_\Sigma$ when $\Sigma$ and $\Gamma$ can be inferred from context,
and we write $\equiv_\Gamma$ when $\Sigma = \Gamma$. Given any equivalence $\sim$ on $A$, an operation
$\sigma$ in $\Sigma_{s_1 \ldots s_n, s}$ is congruent for $\sim$ iff $A_\sigma(a_1, \ldots, a_n) \sim A_\sigma(a'_1, \ldots, a'_n)$ whenever
$a_i \sim a'_i$ for $i = 1, \ldots, n$. An operation $\sigma$ is $\Gamma$-behaviorally congruent for $A$ iff
it is congruent for $\equiv^\Gamma_\Sigma$. We often write just “congruent” instead of “behaviorally
congruent”³. A hidden $\Gamma$-congruence on $A$ is an equivalence on $A$ which is
the identity on visible sorts and for which each operation in $\Gamma$ is congruent.

The following is the basis for several results below, generalizing a result in [17]
to operations that have more than one hidden argument or are not behavioral;
see [27,26] for a proof. Since final algebras do not necessarily exist in this setting,
existence of a largest hidden $\Gamma$-congruence does not depend on them, as it does
in coalgebra [29,23,22].

Theorem 1. Given a hidden subsignature $\Gamma$ of $\Sigma$ and a hidden $\Sigma$-algebra $A$,
then $\Gamma$-behavioral equivalence is the largest hidden $\Gamma$-congruence on $A$.

Definition 5. A hidden $\Sigma$-algebra $A$ $\Gamma$-behaviorally satisfies a $\Sigma$-equation
$(\forall X)\ t = t'$, say $e$, iff $\theta(t) \equiv^\Gamma_\Sigma \theta(t')$ for each $\theta : X \to A$; in this case we write
$A \models^\Gamma_\Sigma e$. If $E$ is a set of $\Sigma$-equations, we write $A \models^\Gamma_\Sigma E$ if $A$ $\Gamma$-behaviorally
satisfies each $\Sigma$-equation in $E$.

When $\Sigma$ and $\Gamma$ are clear from context, we may write $\equiv$ and $\models$ instead of
$\equiv^\Gamma_\Sigma$ and $\models^\Gamma_\Sigma$, respectively. Also, to simplify the presentation, we only consider
unconditional equations here, but the theory also allows conditional equations
[17,18,26].

Definition 6. A behavioral (or hidden) $\Sigma$-specification (or -theory) is
a triple $(\Sigma, \Gamma, E)$ where $\Sigma$ is a hidden signature, $\Gamma$ is a hidden subsignature
of $\Sigma$, and $E$ is a set of $\Sigma$-equations. The operations in $\Gamma - \Sigma|_V$ are called
behavioral. We usually let $B, B', B_1$, etc., denote behavioral specifications. A
hidden $\Sigma$-algebra $A$ behaviorally satisfies (or is a model of) a behavioral
specification $B = (\Sigma, \Gamma, E)$ iff $A \models^\Gamma_\Sigma E$, and in this case we write $A \models B$; we
write $B \models e$ if $A \models B$ implies $A \models e$. An operation $\sigma \in \Sigma$ is behaviorally
congruent for $B$ iff $\sigma$ is behaviorally congruent for every $A \models B$.

³ A similar notion was given by Padawitz in [24].

The following gives the existence of many congruent operations:

Proposition 1. If $B = (\Sigma, \Gamma, E)$ is a behavioral specification, then all operations
in $\Gamma$, and all hidden constants, are behaviorally congruent for $B$.

Of course, depending on $B$, other operations may also be congruent; in fact, our
experience is that all operations are congruent in many practical situations.

2.1 An Example 

We illustrate our concepts with an example of infinite streams. These are common
in the formal specification and verification of protocols, where they serve as
inputs and outputs.

bth STREAM is sort Stream .
  protecting NAT .
  op head : Stream -> Nat .
  op tail : Stream -> Stream .
  op _&_ : Nat Stream -> Stream .
  op odd : Stream -> Stream .
  op even : Stream -> Stream .
  op zip : Stream Stream -> Stream .
  var N : Nat . vars S S' : Stream .
  eq head(N & S) = N .                      *** 1
  eq tail(N & S) = S .                      *** 2
  eq head(odd(S)) = head(S) .               *** 3
  eq tail(odd(S)) = even(tail(S)) .         *** 4
  eq head(even(S)) = head(tail(S)) .        *** 5
  eq tail(even(S)) = even(tail(tail(S))) .  *** 6
  eq head(zip(S,S')) = head(S) .            *** 7
  eq tail(zip(S,S')) = zip(S',tail(S)) .    *** 8
end


As usual, head, tail and & give the first element, the elements after the first,
and place an element at the front of a stream, respectively, while odd and even
give the streams of elements in the odd and even positions, respectively, and zip
interleaves two streams.

A behavioral theory is declared in BOBJ via the keywords bth ... end, with
the signature and the equations in between. All sorts declared in a behavioral
theory are considered hidden; the visible sorts (here Nat) are imported from
some visible (data) specification (here NAT). Also operations are behavioral by
default; an operation not intended to be behavioral (which is rather rare in
practice) is given the attribute ncong. The models of a behavioral theory are
the hidden algebras that behaviorally satisfy all its equations. In our case, the
standard model is that of infinite lists of natural numbers, with head and tail
as expected (the tail of an infinite list is infinite), and for example, odd(1 2 3 4
5 6 7 8 9 ...) is 1 3 5 7 9 ..., even(1 2 3 4 5 6 7 8 9 ...) is 2 4 6
8 ..., and zip(1 3 5 7 9 ..., 2 4 6 8 ...) is 1 2 3 4 5 6 7 8 9 ....
However, there may also be non-standard models; for example, the model with
exactly one element in each carrier is valid for any loose data hidden theory.

In this example, $\Gamma$ contains all the operations, because all of them are behavioral
by default. Therefore, head($\bullet$), tail($\bullet$), head(tail(zip(odd($\bullet$), c))),
are all $\Gamma$-contexts. If $A$ is the standard infinite list model, then two lists are
behaviorally equivalent iff they have the same elements in the same order. However,
there are models where a stream is an infinite tree, or some other infinite
structure, and elements can be behaviorally equivalent but not equal.

One can show that head and tail suffice as behavioral operations, since
together they can observe all behaviors of states, and thus define the behavioral
equivalence. There are at least two approaches to behavioral operations: one
says that $\Gamma$ should contain as few operations as possible, and the other says it
should contain as many as possible. We advocate the second approach, since it is natural
in it to select various subsets, called cobases, that support simple coinduction
proofs. Moreover, any operation that is consistent with the intended behavior
of a specification, i.e. that preserves the behavioral equivalence, can be added
to $\Gamma$ without changing the behavioral equivalence relation [26], and there are
convenient congruence criteria to determine whether this is the case, as described
in Subsection 4.3.

3 Hidden Equational Deduction and Cobasis Coinduction 

This section presents our latest version of behavioral deduction, excluding circular
coinduction, which is described in the next section, and “explicit coinduction”
[17], where the user must provide an explicit relation, since this is difficult to automate.
However, we do discuss cobasis coinduction (also called $\Delta$-coinduction),
because the relation that it uses can be generated automatically from a cobasis⁴.
We expect future work to yield further improvements in mechanizing coinduction.

3.1 Hidden Equational Deduction

Ordinary equational deduction is unsound for behavioral satisfaction, because
the congruence deduction rule is unsound for operations that are not behaviorally
congruent (e.g., for NDSTACK in [18]). The rules below modify the usual equational
deduction to account for this. We fix a specification $B = (\Sigma, \Gamma, E)$ and let $\equiv_{Eq}$
be defined on terms by (1)–(5) below.

⁴ Cobases are introduced in the next section.
(1) Reflexivity:
$$\frac{}{t \equiv_{Eq} t}$$

(2) Symmetry:
$$\frac{t \equiv_{Eq} t'}{t' \equiv_{Eq} t}$$

(3) Transitivity:
$$\frac{t \equiv_{Eq} t' \qquad t' \equiv_{Eq} t''}{t \equiv_{Eq} t''}$$

(4) Substitution:
$$\frac{(\forall Y)\ t = t' \in E \qquad \theta : Y \to T_\Sigma(X)}{\theta(t) \equiv_{Eq} \theta(t')}$$

(5) Congruence:
$$\frac{t \equiv_{Eq} t' \qquad t, t' \text{ visible}}{\sigma(W, t) \equiv_{Eq} \sigma(W, t')} \quad \text{for each } \sigma \in Der(\Sigma)$$
$$\frac{t \equiv_{Eq} t' \qquad t, t' \text{ hidden}}{\delta(W, t) \equiv_{Eq} \delta(W, t')} \quad \text{for each congruent } \delta \in Der(\Sigma)$$


If $\sigma$ is any derived operation over $\Sigma$ having an argument of sort $s$, and if $t$ is
a $\Sigma$-term of sort $s$, then for simplicity we let $\sigma(W, t)$ denote the term obtained
from $\sigma$ by replacing its argument of sort $s$ by $t$ and using some distinct variables
$W$ for the other arguments.

Unlike equational logics, the deduction system above is not complete. In fact,
behavioral satisfaction is a $\Pi^0_2$-hard problem [5], so one cannot find an automatic
procedure to prove all true statements or disprove all false statements. For the
example in Subsection 2.1, one can relatively easily prove

  head(zip(N & S, S')) $\equiv_{Eq}$ head(N & zip(S', S)),
  tail(zip(N & S, S')) $\equiv_{Eq}$ tail(N & zip(S', S)),
  head(zip(odd(S), even(S'))) $\equiv_{Eq}$ head(S),
  head(tail(zip(odd(S), even(S')))) $\equiv_{Eq}$ head(tail(S)), and
  head(tail$^{100}$(zip(odd(S), even(S')))) $\equiv_{Eq}$ head(tail$^{100}$(S)),

and much more, but it is not possible to prove any of the following:

  even(N & S) $\equiv_{Eq}$ odd(S),
  zip(N & S, S') $\equiv_{Eq}$ N & zip(S', S),
  zip(odd(S), even(S)) $\equiv_{Eq}$ S,
  odd(zip(S, S')) $\equiv_{Eq}$ S.

We will see that some of these can be proved by cobasis coinduction, while others
need circular coinduction.


3.2 Complete Sets of Observers

A complete set of observers [3] is a set of contexts that can “generate” all experiments
on a system. The following definition is adapted from [3] to our notation
and terminology:

Definition 7. Given a hidden signature $\Gamma$, a complete set of observers for
$\Gamma$ is a set of $\Gamma$-contexts, say $\Delta$, such that for each $\Gamma$-experiment $\gamma \in E_\Gamma[\bullet]$ there
is some $\Gamma$-context $\delta \in \Delta$ which is a subcontext⁵ of $\gamma$.

This says that every experiment $\gamma$ has the form $\gamma'[\delta]$ for some other “smaller”
experiment $\gamma'$ and some $\delta \in \Delta$. This notion already has a dual flavor to that of
basis for structural induction, where for each element $t$ of an abstract data type,
there is some other element $t'$ and an operation $\delta$ in the basis such that $t = \delta[t']$.
The following provides two easy examples:

Proposition 2. For any $\Gamma$, both $\Gamma$ and $E_\Gamma[\bullet]$ are complete sets of observers.

Consider the hidden subsignature $\Gamma$ of the signature of streams in the example
in Subsection 2.1 containing only the operations head and tail. Obviously,
$E_\Gamma[\bullet]$ consists of all the terms of the form head(tail(...(tail($\bullet$)))), for an arbitrary
number of occurrences of tail. Then it is easy to see that

  $\Delta_1$ = {head($\bullet$), tail($\bullet$)} = $\Gamma$,
  $\Delta_2$ = {head($\bullet$), head(tail($\bullet$)), tail(tail($\bullet$))},
  $\Delta_3$ = {head($\bullet$), head(tail($\bullet$)), head(tail(tail($\bullet$))), tail(tail(tail($\bullet$)))},
  $\Delta_4$ = $E_\Gamma[\bullet]$,

are all complete sets of observers for $\Gamma$.

To simplify writing we ambiguously let $\Gamma$ also denote the subset of $\Gamma$-contexts
obtained directly, without composition, from the operations in $\Gamma$, such
as $\Delta_1$ above.

As with induction, where some bases can be better than others for particular
proofs, it is possible that some different complete sets of observers are better for
different applications. For example, if one defines a stream blink by

  eq head(blink) = 0 .
  eq head(tail(blink)) = 1 .
  eq tail(tail(blink)) = blink .

then it is almost certain that the complete set of observers $\Delta_2$ above is better
than the others. (The stream blink is 0 1 0 1 ....)

We do not further develop this topic here, but refer to [3,26]. However,
we would mention a disadvantage of complete sets of observers, that they do not
take into account the whole specification but only its signature. In particular,
in the example in Subsection 2.1 where $\Gamma = \Sigma$ contains all the operations, it is
pretty cumbersome to find an appropriate complete set of observers.

⁵ That is, a subterm; notice that $\delta$ necessarily contains the variable $\bullet$ from $\gamma$.



3.3 Strong Cobases

The complete formal definition of a strong cobasis is quite technical and not
relevant to our work, so we skip it. Intuitively, a strong cobasis is a complete set
of observers that takes into account the equations of a specification in showing
that for each $\Gamma$-experiment $\gamma$ there is some context $\delta \in \Delta$ which is a subcontext
of $\gamma$.

In the example of streams with $\Gamma = \Sigma$, one can tediously prove by induction
on the structure of contexts that any experiment is equal to an experiment
containing only head and tail operations, so all the complete sets of observers
$\Delta_1, \ldots, \Delta_4$ for $\Gamma$ = {head, tail} in the previous subsection really are
strong cobases for the original specification of streams. A less intuitive strong
cobasis for streams is {head, odd, even}, and one can also tediously show that
any experiment is equivalent to an experiment containing only head, odd and
even. Intuitively, this is because the three operations can “observe” any element
in a stream. For example, head(even(odd(odd(S)))) observes the fifth element
of S, while the experiment head(even(even(odd(even(odd(S)))))) observes
the 27th element:


$$\begin{aligned}
S &= a_1\ a_2\ a_3\ a_4\ a_5\ a_6\ a_7\ a_8\ a_9\ a_{10}\ \cdots \\
odd(S) &= a_1\ a_3\ a_5\ a_7\ a_9\ a_{11}\ a_{13}\ a_{15}\ \cdots \\
even(odd(S)) &= a_3\ a_7\ a_{11}\ a_{15}\ a_{19}\ a_{23}\ a_{27}\ \cdots \\
odd(even(odd(S))) &= a_3\ a_{11}\ a_{19}\ a_{27}\ a_{35}\ \cdots \\
even(odd(even(odd(S)))) &= a_{11}\ a_{27}\ a_{43}\ \cdots \\
even(even(odd(even(odd(S))))) &= a_{27}\ a_{59}\ \cdots \\
head(even(even(odd(even(odd(S)))))) &= a_{27}
\end{aligned}$$


There are situations where the latter cobasis is better than the standard one;
see [26] for a detailed presentation of strong cobases, together with more elegant
proofs that the above are all strong cobases, and a proof that any complete set
of observers is a strong cobasis.


3.4 General Cobases

Our general notion of cobasis (see also [18,19,25]) is as follows:

Definition 8. If $B' = (\Sigma', \Gamma', E')$ is a conservative extension of $B = (\Sigma, \Gamma, E)$
and if $\Delta \subseteq \Sigma'$, then $\Delta$ is a cobasis for $B$ iff for all hidden sorted terms
$t, t' \in T_\Sigma(X)$, if $B' \models (\forall W, X)\ \delta(W, t) = \delta(W, t')$ for all appropriate $\delta \in \Delta$
then $B \models (\forall X)\ t = t'$.

The following is a key first step toward automation of coinduction; it was first
proved in [27]:

Theorem 2. Every strong cobasis is a cobasis.

To ease presentation, from now on suppose that $\Delta$ is a cobasis of $B$ with
$B' = (Der(\Sigma), \Gamma, E)$ and $\Delta \subseteq Der(\Gamma)$, where $Der(\Sigma)$ denotes the set of all
$\Sigma$-derived operations.



3.5 $\Delta$-Coinduction

Once a cobasis is available, coinduction can be applied automatically. Let $\equiv_{Eq,\Delta}$
be the relation generated⁶ by rules (1)–(5) in Subsection 3.1, plus

(6) $\Delta$-Coinduction:
$$\frac{\delta(W, t) \equiv_{Eq,\Delta} \delta(W, t') \ \text{ for all appropriate } \delta \in \Delta}{t \equiv_{Eq,\Delta} t'}$$

The following is immediate from the definition of cobasis:

Proposition 3. $\equiv_{Eq} \subseteq \equiv_{Eq,\Delta} \subseteq \equiv$.

Thus, to prove that terms $t, t'$ are behaviorally equivalent, it suffices to show that
$t \equiv_{Eq,\Delta} t'$. In particular, in our stream example, where $\Delta$ = {head($\bullet$), tail($\bullet$)}
is a cobasis, one can immediately prove by $\Delta$-coinduction and equational reasoning
that

  zip(N & S, S') $\equiv_{Eq,\Delta}$ N & zip(S', S),

by showing that head applied to either term is N, and that tail applied to either
term is zip(S', S). One can also prove even(N & S) $\equiv_{Eq,\Delta}$ odd(S), and many
other similar behavioral properties.


4 Circular Coinduction

This section gives an inference rule for behavioral reasoning, called circular coinduction,
since it handles some examples with circularities (i.e., infinite recursions)
that could not be handled by previous rules here (or in [27,18,19,25]);
we may also call it circular $\Delta$-coinduction or $\Delta^\circ$-coinduction.

After exploring how to prove the congruence of operations in [27] (see also
[26] and Subsection 4.3 below), we became convinced that this does not differ
essentially from proving other behavioral properties, except perhaps that it
is usually easier. Also certain “coinductive patterns” that appeared in specifying
operations inspired a congruence criterion that could automatically decide
whether an operation is congruent [27,26]; moreover, this criterion followed from
the $\Delta$-coinduction rule and was strong enough for all proofs we knew at that
time. But the fact that the congruence of zip in Subsection 2.1 (in the context
in which only head and tail are declared behavioral) didn't follow by that
criterion suggested that more powerful deduction rules were needed.

Bidoit and Hennicker [3] gave a general congruence criterion from which
the congruence of zip followed easily. Influenced by the relationship between
$\Delta$-coinduction and the congruence criterion in [27], we sought a general inference
rule from which the criterion in [3] would follow as naturally as our criterion
in [27] followed from $\Delta$-coinduction, and which could prove behavioral
properties not provable by $\Delta$-coinduction. The result of this search was circular
$\Delta$-coinduction, as presented in this section and implemented in BOBJ [14].

⁶ Strictly speaking, $\equiv_{Eq}$ should be replaced by $\equiv_{Eq,\Delta}$ in rules (1)–(5).



4.1 Limitations of $\Delta$-Coinduction

We first give some examples where the six rules defining the relation $\equiv_{Eq,\Delta}$
are not enough to prove certain simple properties, which however can be easily
proved by circular $\Delta$-coinduction.

Suppose one wants to prove that zip(odd(S), even(S)) $\equiv$ S holds in the
behavioral specification of Subsection 2.1. Let us choose the standard (strong)
cobasis $\Delta$ = {head($\bullet$), tail($\bullet$)}. For $\Delta$-coinduction, one has to prove that
head(zip(odd(S), even(S))) $\equiv_{Eq,\Delta}$ head(S), which follows by equational deduction,
and that tail(zip(odd(S), even(S))) $\equiv_{Eq,\Delta}$ tail(S), which reduces to
zip(even(S), even(tail(S))) $\equiv_{Eq,\Delta}$ tail(S). By $\Delta$-coinduction, one similarly
generates two other subgoals, namely head(zip(even(S), even(tail(S)))) $\equiv_{Eq,\Delta}$
head(tail(S)), which is easy, and tail(zip(even(S), even(tail(S)))) $\equiv_{Eq,\Delta}$
tail(tail(S)), which reduces to zip(even(tail(S)), even(tail(tail(S)))) $\equiv_{Eq,\Delta}$
tail(tail(S)). Since the last subgoal is nothing but the previous (hidden) one
where S is replaced by tail(S), this procedure will loop forever, and thus does
not work. But circular coinduction will detect this circularity and terminate,
declaring the initial goal proved. Before we discovered and implemented circular
coinduction, BOBJ either froze or reported a “segmentation fault” when asked to
automatically prove such properties. We encourage the interested reader to try to
prove odd(zip(S, S')) $\equiv_{Eq,\Delta}$ S with cobasis coinduction, and to discover another
seemingly hopeless circularity there.

4.2 Circular $\Delta$-Coinduction

Let $B = (\Sigma, \Gamma, E)$ be a fixed behavioral specification for this subsection. To
ease the presentation, suppose that $\Delta$ is a complete set of observers. Technically
speaking, $\Delta$ can be a strong cobasis but the proofs are slightly more complicated;
although we haven't yet proved the correctness of circular coinduction for general
cobases, this doesn't seem to have any practical relevance, since all the concrete
cobases we know are either complete sets of observers or are strong cobases. We
consider all equations to be quantified by exactly the variables that occur in
their two terms, and omit them whenever possible; we also write $t \equiv t'$ instead
of $B \models (\forall X)\ t = t'$.

Definition 9. Substitutions $\theta, \theta' : X \to T_\Sigma(Y)$ are behaviorally equivalent,
written $\theta \equiv \theta'$, iff $\theta(x) \equiv \theta'(x)$ for every $x \in X$. Terms $t$ and $t'$ are strongly
behaviorally equivalent, written $t \equiv_s t'$, iff for any $B$-algebra $A$ and any
$\tau_1, \tau_2 : X \to A$ with $\tau_1(x) \equiv^\Gamma_\Sigma \tau_2(x)$ for each $x \in X$, $\tau_1(t) \equiv^\Gamma_\Sigma \tau_2(t')$.

Notice that $\equiv_s$ is symmetric and transitive but may not be reflexive, since, for
example, terms of the form $\sigma(x_1, \ldots, x_n)$ are not strongly equivalent to any term
if $\sigma$ is not congruent (see also 5 of Proposition 4).

Proposition 4. The following hold:

1. $t \equiv_s t'$ implies $t \equiv t'$;

2. $t \equiv_s u$ iff $t \equiv u$, whenever $u$ is a $\Gamma$-term⁷;

3. $t \equiv_s t'$ iff $\gamma[t] \equiv \gamma[t']$ for all appropriate $\Gamma$-experiments $\gamma$;

4. $t \equiv_s t'$ and $\theta \equiv \theta'$ imply $\theta(t) \equiv_s \theta'(t')$;

5. $\sigma$ is congruent iff $\sigma(x_1, \ldots, x_n) \equiv_s \sigma(x_1, \ldots, x_n)$.

Proof. 1. This is straightforward since one can take $\tau_1 = \tau_2$ in Definition 9.

2. If $t \equiv_s u$ then $t \equiv u$ by 1. Now suppose that $t \equiv u$ and let $\tau_1, \tau_2$ be like in
Definition 9. Since $u$ contains only congruent operations, one can easily
show by structural induction that $\tau_1(u) \equiv \tau_2(u)$. On the other hand, since
$\tau_1(t) \equiv \tau_1(u)$ and $\tau_2(t) \equiv \tau_2(u)$, it follows that $t \equiv_s u$.

3. Suppose that $t \equiv_s t'$, that $\gamma$ is a $\Gamma$-experiment and that $\tau_1, \tau_2 : var(t, t') \cup
var(\gamma) \to A$ are maps as in Definition 9. It is immediate that $\tau_1(t) \equiv \tau_2(t')$.
Since $\gamma$ contains only congruent operations, it can be easily seen that
$\tau_1(\gamma[t]) = A_\gamma(\tau_1(t))(\tau_1) = A_\gamma(\tau_2(t'))(\tau_1) = A_\gamma(\tau_2(t'))(\tau_2) = \tau_2(\gamma[t'])$. Conversely, suppose
that $\gamma[t] \equiv \gamma[t']$ for all appropriate $\Gamma$-experiments $\gamma$, and let $\tau_1, \tau_2 : var(t, t') \to
A$ be two maps as in Definition 9. It suffices to show that for any $\Gamma$-experiment $\gamma$,
$A_\gamma(\tau_1(t)) = A_\gamma(\tau_2(t'))$ as functions in $[(var(\gamma) \to A) \to A]$. Notice that giving
a function in $[var(\gamma) \to A]$ implies extending $\tau_1, \tau_2$ to functions $var(t, t') \cup
var(\gamma) \to A$, in which case $A_\gamma(\tau_1(t)) = \tau_1(\gamma[t]) = \tau_2(\gamma[t']) = A_\gamma(\tau_2(t'))$.

4. This follows by noticing that for any $\tau_1, \tau_2 : Y \to A$ with $\tau_1(y) \equiv \tau_2(y)$ and
any $\theta, \theta' : X \to T_\Sigma(Y)$ with $\theta \equiv \theta'$, it is the case that the maps $\theta; \tau_1, \theta'; \tau_2 : X \to
A$ also satisfy the property that $(\theta; \tau_1)(x) \equiv (\theta'; \tau_2)(x)$ for each $x \in X$.

5. $\sigma$ is congruent iff $A_\sigma(a_1, \ldots, a_n) \equiv A_\sigma(a'_1, \ldots, a'_n)$ for any $a_1, \ldots, a_n, a'_1, \ldots, a'_n$ with
$a_1 \equiv a'_1, \ldots, a_n \equiv a'_n$ iff $\tau_1(\sigma(x_1, \ldots, x_n)) \equiv \tau_2(\sigma(x_1, \ldots, x_n))$ for $\tau_1(x_i) = a_i$ and
$\tau_2(x_i) = a'_i$ for all $1 \le i \le n$ iff $\sigma(x_1, \ldots, x_n) \equiv_s \sigma(x_1, \ldots, x_n)$.

For the rest of the section, we assume some well-founded partial order $<$ on
$\Gamma$-contexts which is preserved by the operations in $\Gamma$. For example, one such
order is the depth of contexts.

Definition 10. Terms $t$ and $t'$ are $\Delta$-coinductively equivalent iff for each
appropriate $\delta \in \Delta$, either $\delta(W, t) \equiv \delta(W, t') \equiv u$ for some $\Gamma$-term $u$, or $\delta(W, t) \equiv
\theta(c[t])$ and $\delta(W, t') \equiv \theta'(c[t'])$ for some $\theta \equiv \theta'$ and $c < \delta$.

Theorem 3. If $t$ and $t'$ are $\Delta$-coinductively equivalent then $t \equiv_s t'$.

Proof. We first show by well-founded induction that for every appropriate experiment
$\gamma$, $\gamma[t] \equiv \gamma[t']$. Let $\gamma$ be any experiment and assume that $\gamma'[t] \equiv \gamma'[t']$
for all experiments $\gamma' < \gamma$. Since $\Delta$ is a complete set of observers, there is some
experiment $\gamma''$ such that $\gamma = \gamma''[\delta]$ for some $\delta \in \Delta$. If there is some $\Gamma$-term $u$
such that $\delta(W, t) \equiv \delta(W, t') \equiv u$ then $\gamma[t] \equiv \gamma[t'] \equiv \gamma''[u]$ and $\gamma''[u]$ is a $\Gamma$-term,
so by 2 of Proposition 4, $\gamma[t] \equiv \gamma[t']$. On the other hand, if $\delta(W, t) \equiv \theta(c[t])$ and
$\delta(W, t') \equiv \theta'(c[t'])$ for some $\theta \equiv \theta'$ and $c < \delta$, then since the variables appearing
in contexts are assumed to be always different from the other variables, one gets
that $\gamma[t] \equiv \theta(\gamma''[c[t]])$ and $\gamma[t'] \equiv \theta'(\gamma''[c[t']])$, and so by the induction hypothesis
for $\gamma' = \gamma''[c] < \gamma''[\delta] = \gamma$ and 4 of Proposition 4, $\gamma[t] \equiv \gamma[t']$. The rest follows
by 3 of Proposition 4.

⁷ We write “$\Gamma$-terms” for simplicity, but the result holds for all terms built with
congruent operations.


Therefore we can add a new inference rule. Since in most cases $\theta = \theta'$, we let
$\equiv^\circ_{Eq,\Delta}$ be the relation generated⁸ by the rules (1)–(6) in Subsections 3.1 and
3.5 and the following:

(7) $\Delta^\circ$-Coinduction:
$$\frac{\begin{array}{l}\big(\delta(W, t) \equiv^\circ_{Eq,\Delta} u \equiv^\circ_{Eq,\Delta} \delta(W, t'),\ \text{where } u \text{ is some } \Gamma\text{-term}\big) \text{ or } \\ \big(\delta(W, t) \equiv^\circ_{Eq,\Delta} \theta(c[t]) \text{ and } \delta(W, t') \equiv^\circ_{Eq,\Delta} \theta(c[t']) \text{ for some } c < \delta\big) \\ \text{for all appropriate } \delta \in \Delta\end{array}}{t \equiv^\circ_{Eq,\Delta} t'}$$


In order to prove that $t \equiv t'$, one can now prove that $t \equiv^\circ_{Eq,\Delta} t'$. For
example, to prove that zip(odd(S), even(S)) $\equiv$ S, the property that sent
$\Delta$-coinduction into an infinite loop in Subsection 4.1, one can first prove that
zip(even(S), even(tail(S))) $\equiv^\circ_{Eq,\Delta}$ tail(S) by {head, tail}-coinduction
(if $\delta$ is head then we are in the first case of (7) and if $\delta$ is tail then we are in
the second case of (7) with $c = \bullet$ and $\theta$(S) = tail(S)), and then to prove by
{head, tail}-coinduction the original behavioral equality as in Subsection 4.1.
We suggest the reader prove that odd(zip(S, S')) $\equiv$ S also by {head, tail}-coinduction
and then prove both statements by {head, odd, even}-coinduction.

BOBJ implements circular coinductive rewriting [14,13], an algorithm that
combines the coinduction inference rules presented in this paper with behavioral
rewriting, an adaptation of term rewriting to our behavioral equational deduction
system; this can automatically prove all the reasonable statements that we
know, including all those mentioned in this paper, and all those that we tried
from examples previously done by CoClam [6] using complex heuristics, but of
course new inference rules may be needed for more exotic examples.
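The procedure of Subsections 3.5, 4.1 and 4.2 on the STREAM theory, as an added example in Python (not the paper's or BOBJ's code): behavioral rewriting with the eight equations, {head, tail}-coinduction (rule (6)), and the circularity case of rule (7) with $c = \bullet$, where every hidden goal under proof is kept as a hypothesis, so the lemma zip(even(S), even(tail(S))) $\equiv$ tail(S) is found on the way rather than proved first. The tuple encoding of terms and the convention that a variable's first letter gives its sort are assumptions of the example.

```python
"""Circular coinduction over the STREAM behavioral theory of Subsection 2.1.
Added example, not the paper's or BOBJ's code.  Terms are nested tuples:
('head', s), ('tail', s), ('cons', n, s) for N & S, ('odd', s), ('even', s),
('zip', s1, s2).  Variables are strings whose first letter gives the sort
(N... : Nat, S... : Stream); this naming convention is an assumption."""

def sort_of(t):
    """'Nat' (visible) or 'Stream' (hidden); head is the only attribute."""
    if isinstance(t, str):
        return 'Nat' if t[0] == 'N' else 'Stream'
    return 'Nat' if t[0] == 'head' else 'Stream'

# Equations 1-8 of STREAM, oriented left to right and used as rewrite rules.
RULES = [
    (('head', ('cons', 'N', 'S')), 'N'),
    (('tail', ('cons', 'N', 'S')), 'S'),
    (('head', ('odd', 'S')), ('head', 'S')),
    (('tail', ('odd', 'S')), ('even', ('tail', 'S'))),
    (('head', ('even', 'S')), ('head', ('tail', 'S'))),
    (('tail', ('even', 'S')), ('even', ('tail', ('tail', 'S')))),
    (('head', ('zip', 'S', "S'")), ('head', 'S')),
    (('tail', ('zip', 'S', "S'")), ('zip', "S'", ('tail', 'S'))),
]

def match(pat, term, subst):
    """First-order matching of pat against term, extending subst; None on failure."""
    if isinstance(pat, str):
        if pat in subst:
            return subst if subst[pat] == term else None
        return {**subst, pat: term} if sort_of(pat) == sort_of(term) else None
    if isinstance(term, str) or pat[0] != term[0] or len(pat) != len(term):
        return None
    for p, t in zip(pat[1:], term[1:]):
        subst = match(p, t, subst)
        if subst is None:
            return None
    return subst

def apply(subst, t):
    """Apply a substitution (variable -> term) to a term."""
    if isinstance(t, str):
        return subst.get(t, t)
    return (t[0],) + tuple(apply(subst, a) for a in t[1:])

def normalize(t):
    """Innermost rewriting with RULES to a normal form (behavioral rewriting)."""
    if isinstance(t, str):
        return t
    t = (t[0],) + tuple(normalize(a) for a in t[1:])
    for lhs, rhs in RULES:
        s = match(lhs, t, {})
        if s is not None:
            return normalize(apply(s, rhs))
    return t

def prove(t, t2, cobasis=('head', 'tail'), circular=True, max_depth=40):
    """Prove t == t2 by {head, tail}-coinduction (rule 6) plus, when circular=True,
    the c = . case of rule (7): a hidden subgoal that is an instance theta of a
    goal already under proof is closed by circularity.  Returns the list of hidden
    goals used as hypotheses, or None if the proof fails or hits max_depth."""
    hyps = []

    def go(t, t2, depth):
        t, t2 = normalize(t), normalize(t2)
        if t == t2:                      # closed by equational deduction (rules 1-5)
            return True
        if sort_of(t) == 'Nat' or depth > max_depth:
            return False                 # open visible goal, or the endless descent
                                         # of plain Delta-coinduction (Subsection 4.1)
        if circular:
            for h, h2 in hyps:           # circularity: (t, t2) = theta(h, h2)
                s = match(h, t, {})
                if s is not None and match(h2, t2, s) is not None:
                    return True
        hyps.append((t, t2))
        # apply every observer delta of the cobasis and prove the subgoals
        return all(go((d, t), (d, t2), depth + 1) for d in cobasis)

    return hyps if go(t, t2, 0) else None
```

Setting circular=False gives plain $\Delta$-coinduction, which on zip(odd(S), even(S)) $\equiv$ S runs into the loop of Subsection 4.1 and is cut off by max_depth.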


4.3 Congruence Criteria

The simplest way to find a cobasis for a behavioral specification is to guess
one and then to show that all the other operations are behaviorally congruent
for a specification having the same equations and operations as the original
specification but only the guessed operations declared as behavioral (see [18,
26] for more detail). Since one of our major goals is to automate the process of
behavioral deduction in BOBJ, the problem of automatic detection of cobases
plays a crucial role. BOBJ implements a heuristic that works well in practical
situations, and is based on the following criteria, which follow from Theorem
3. The first congruence criterion, which we will call the BH criterion, is the
essence of that in [3]:

Corollary 1. Given a complete set $\Delta$ of observers and some $\sigma \in \Sigma$ such
that for each $\delta \in \Delta$, either $\delta[\sigma(x_1, \ldots, x_n)] \equiv u$ for some $\Gamma$-term $u$, or else
$\delta[\sigma(x_1, \ldots, x_n)] \equiv c[\sigma(t_1, \ldots, t_n)]$ for some $\Gamma$-terms $t_1, \ldots, t_n$ and $c < \delta$, then $\sigma$ is
congruent.

Proof. Theorem 3 with $t = t' = \sigma(x_1, \ldots, x_n)$ and $\theta = \theta'$ with $\theta(x_i) = t_i$ for
all $1 \le i \le n$, gives $\sigma(x_1, \ldots, x_n) \equiv_s \sigma(x_1, \ldots, x_n)$. Then 5 of Proposition 4 gives
congruence of $\sigma$.

The following simpler but common congruence criterion, which we here call
the RG criterion, was presented in [27] together with the suggestion that it
could be easily implemented in a system like CafeOBJ:

Corollary 2. Given an operation $\sigma \in \Sigma$ such that for each $\delta \in \Gamma$ the equation
$\delta[\sigma(x_1, \ldots, x_n)] = u$, for some $\Gamma$-term $u$, is in $E$, then $\sigma$ is congruent.

Proof. This is the special case of the BH criterion where $\Delta = \Gamma$ and there is no
circularity (i.e., recurrence) in the definition of $\sigma$.

⁸ Strictly speaking, $\equiv_{Eq}$ in rules (1)–(5) and $\equiv_{Eq,\Delta}$ in rule (6) should be replaced